Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Network Device Management Security Requirements Guide
SRG-APP-000220
The network device must invalidate session identifiers upon administrator logout or other session termination.
The network device must invalidate session identifiers upon administrator logout or other session termination.
An XCCDF Rule
Details
Profiles
Prose
The network device must invalidate session identifiers upon administrator logout or other session termination.
Medium Severity
<VulnDiscussion>Captured sessions can be reused in "replay" attacks. This requirement limits the ability of adversaries to capture and to continue to employ previously valid session IDs. This requirement is applicable to devices that use a web interface for device management. Session IDs are tokens generated by web applications to uniquely identify an application user's session. Applications will make application decisions and execute business logic based on the session ID. Unique session identifiers or IDs are the opposite of sequentially generated session IDs which can be easily guessed by an attacker. Unique session IDs help to reduce predictability of said identifiers. If a device uses a web interface for device management, when an administrator logs out, or when any other session termination event occurs, the device management web application must invalidate the session identifier to minimize the potential for an attacker to hijack that particular management session.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>